Raising troubling questions about the reliability of government-mandated cryptography certifications used around the world, scientists have unearthed flaws in Taiwan's secure digital ID system that allow attackers to impersonate some citizens who rely on it to pay taxes, register cars, and file immigration papers.

The crippling weaknesses uncovered in the Taiwanese Citizen Digital Certificate program cast doubt on whether certifications meant to ensure that cryptographic protections used by governments and other sensitive organizations can't be circumvented by adversaries actually deliver that assurance, the scientists reported in a research paper scheduled to be presented later this year at the Asiacrypt 2013 conference in Bangalore, India. The flaws may highlight shortcomings in similar cryptographic systems used by other governments around the world, since the vulnerable smartcards used in the Taiwanese program passed the FIPS 140-2 Level 2 and Common Criteria certifications. Those certifications, managed by the National Institute of Standards and Technology (NIST) and its counterparts all over the world, impose a rigid set of requirements on all cryptographic hardware and software used by a raft of government agencies and contractors.

“Trivially broken keys”

The team of scientists uncovered what their paper called a "fatal flaw" in the hardware random number generator (RNG) used to ensure the numbers that form the raw materials of crypto keys aren't based on discernible patterns. Randomness is a crucial ingredient in ensuring adversaries can't break the cryptographic keys underpinning the smartcards issued to Taiwanese citizens.

Out of slightly more than 2 million 1024-bit RSA keys the researchers examined, an astonishing 184 were generated so poorly that they could be broken in a matter of hours, using known mathematical methods on standard computers to find the large prime numbers at their core. Had the keys been created correctly, breaking them so quickly would have required a large supercomputer or botnet. That even such a small percentage of keys turned out to be so easily broken underscores the fragility of the cryptographic protections millions of people increasingly rely on to shield their most intimate personal and business-sensitive secrets.

"The findings are certainly significant for the citizens who have been issued flawed cards, since any attacker could impersonate them online," the research team wrote in an e-mail to Ars. "More broadly, our research should give pause to any of the many countries that are rolling out this kind of national public key infrastructure. These smart cards were certified to respected international standards of security, and errors led to them generating trivially broken cryptographic keys. If a technologically advanced government trying to follow best practices still has problems, who can get this right?"

Stacking the deck

The research is being published two weeks after documents leaked by former National Security Agency (NSA) contractor Edward Snowden outlined the covert hand intelligence agents have played in deliberately weakening international encryption standards. As a result, the NSA and its counterparts in the UK can most likely bypass many of the encryption technologies used on the Internet. Cryptographers involved in, and independent of, the research agreed that the weaknesses exposed in the paper were almost certainly the result of human error, rather than deliberate sabotage. They based that assessment on the observation that the predictable patterns caused by the malfunctioning PRNG were so easy to spot.

"Some of the primes discovered in this work are so obviously non-random that, if they were the result of deliberate weaknesses, then I'd be asking for my money back from my three-letter agency," Kenneth G. Paterson, a Royal Holloway scientist who has seen the paper, told Ars. "Because they would clearly not have been doing a very good job in hiding their footprints."

Still, the fact that Taiwan's extremely weak RNGs passed stringent validation processes is troubling. An RNG that picks prime numbers in predictable ways is in some ways the cryptographic equivalent of a blackjack croupier who arranges a deck of cards so they're dealt in a way that puts the gambler at a disadvantage. Properly implemented RNGs, to extend the metaphor, are akin to a relief dealer who thoroughly shuffles the deck, an act that in theory results in the strong likelihood the cards never have and never again will be arranged in that exact same order.

A slide from a recent presentation detailing the 119 primes shared among 103 of the weak cards used in Taiwan's Citizen Digital Certificate program.

There's no way to rule out the possibility that the NSA, or intelligence agencies from other nation states, already knew about the vulnerability in Taiwan's crypto program, or about programs in other countries that may suffer from similar weaknesses. The inability of the certifications to spot the fatally flawed RNGs suggests the standards offer far less protection than many may think against subtle flaws that were either intentionally engineered by intelligence agencies or exploited after being discovered by them.

The researchers began their project by examining almost 2.2 million of the Taiwanese digital certificates secured with 1024-bit keys (newer cards have 2048-bit RSA keys). By scanning for pairs of distinct numbers that shared a common mathematical divisor, they quickly identified 103 keys that shared prime numbers.

A little more than 100 keys that shared primes out of a pool of 2 million makes for an infinitesimally small percentage, but in the eye of a trained cryptographer it flags a fatal error. When generating a 1024-bit RSA key, there are an almost incomprehensible 2^502 prime numbers that can be picked to form its mathematical DNA, Mark Burnett, an IT security analyst and author, estimates. That's many orders of magnitude more than the 2^266 atoms in the known universe. If all these primes are properly mixed up and evenly distributed in a large digital pot—as is supposed to happen when they are drawn by a correctly functioning RNG—the same prime should never be picked twice. By definition, a prime is a number greater than one that has no positive divisors other than 1 and itself.

A summary of the data flow leading to successful factorizations of the Digital Citizen Card used in Taiwan. Credit: Bernstein, et al.

And yet, 103 of the keys flagged by the researchers factored into 119 primes. The anomaly was the first unambiguous sign that something horribly wrong had gone on during the key-generation process for the Taiwanese smartcards. But it wasn't the only indication of severe problems. The researchers sifted through the shared primes and noticed visible patterns of non-randomness that allowed them to factor an additional 81 keys, even though they didn't share primes. Once the primes are discovered, the underlying key is completely compromised. Anyone with knowledge of the primes can impersonate the legitimate card holder by forging the person's digital signature, reading their encrypted messages, and accessing any other privileges and capabilities afforded by the card.
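The shared-prime scan the article describes (looking for pairs of moduli with a common divisor, then recovering both primes of any key that shares one) is shown below as an added illustration; this is not code from the Asiacrypt paper or from the Taiwanese card program. It implements the standard batch-GCD computation (a product tree followed by a remainder tree), which finds every modulus in a set that shares a prime with another in one pass rather than comparing all pairs. The moduli are small constructed values standing in for real 1024-bit certificates, and only the shared-prime finding is covered: the pattern-based factoring of the further 81 keys is not described on this page, so it is not reproduced here.

```python
"""Audit a batch of RSA public moduli for shared prime factors (batch GCD).

Added example for this article; not code from the paper or from the Taiwanese
Citizen Digital Certificate program. The moduli below are tiny, constructed toy
values so the script runs instantly; a real audit runs the same algorithm over
millions of moduli extracted from issued certificates.
"""
from math import gcd
from typing import Dict, List, Tuple


def product_tree(moduli: List[int]) -> List[List[int]]:
    """Binary product tree: level 0 is the input, the last level is the full product."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        # Multiply neighbours pairwise; an odd leftover is carried up unchanged.
        nxt = [level[i] * level[i + 1] for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        tree.append(nxt)
    return tree


def batch_gcd(moduli: List[int]) -> List[int]:
    """For each N_i return gcd(N_i, product of all the other moduli).

    1 means N_i shares no prime with any other key in the set; anything larger is
    a shared factor (or N_i itself when both of its primes appear elsewhere).
    """
    if len(moduli) < 2:
        return [1] * len(moduli)
    tree = product_tree(moduli)
    # Remainder tree: descend from the root, reducing each parent's residue modulo
    # the square of its child. At the leaves we hold (product of all N) mod N_i^2.
    remainders = tree[-1]
    for level in reversed(tree[:-1]):
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # product = N_i * Q_i, so (product mod N_i^2) // N_i == Q_i mod N_i and one
    # small gcd per key finishes the job.
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def _split_with_pairwise_gcd(n: int, moduli: List[int]) -> int:
    """Fallback when both primes of n are shared: a pairwise gcd splits n."""
    for m in moduli:
        if m != n:
            d = gcd(n, m)
            if 1 < d < n:
                return d
    return 1  # only exact duplicates of n exist; nothing to split


def recover_factors(moduli: List[int]) -> Dict[int, Tuple[int, int]]:
    """Map every modulus exposed by a shared prime to its factorisation (p, q)."""
    found: Dict[int, Tuple[int, int]] = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == n:
            g = _split_with_pairwise_gcd(n, moduli)
        if 1 < g < n:
            p, q = g, n // g
            found[n] = (min(p, q), max(p, q))
    return found


def distinct_shared_primes(found: Dict[int, Tuple[int, int]]) -> int:
    """Count the distinct primes behind the broken keys (the paper: 119 over 103 keys)."""
    return len({p for pq in found.values() for p in pq})


# Constructed sample: five toy moduli built from small primes, with 101 reused
# in two keys and 113 reused in two others. The second and fourth are clean.
SAMPLE_MODULI = [
    101 * 103,   # shares 101 with the third key
    107 * 109,   # clean
    101 * 113,   # shares both of its primes with other keys
    127 * 131,   # clean
    113 * 137,   # shares 113 with the third key
]

if __name__ == "__main__":
    weak = recover_factors(SAMPLE_MODULI)
    for n, (p, q) in weak.items():
        print(f"modulus {n} is broken: {n} = {p} * {q}")
    print(f"{len(weak)} of {len(SAMPLE_MODULI)} keys factored, "
          f"{distinct_shared_primes(weak)} distinct primes involved")
```

Run directly, the script reports which toy keys factor and how many distinct primes are involved, which is exactly the statistic the article quotes (119 primes across 103 keys). The same pass over a certificate store is the check an issuer or auditor can run on a batch of cards before trusting them; once a modulus factors, every signature and decryption tied to that card has to be treated as compromised.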

Edit: to be fair, there is no evidence the NSA is behind this. The fact remains that backdoors reduce security for everyone. Whether this is a very poorly executed backdoor or just bad review processes isn't really clear.

The NSA seems to think this is a giant game of Jenga. They say, "Oh, we'd like a backdoor for...um...security, that's it." So they remove a block, but the block they pull is from the bottom of the structure. And every block above the one they pulled out is everyone else that relies on this encryption. And then the pieces start to fall.

They're always certain they're so incredibly smart that no one will ever find the backdoor besides themselves.

Looks like we may have to put bits of radioactive material into every piece of hardware needing a good random number generator.

There is literally no evidence to support the NSA is behind this. There's a fine line between healthy paranoia and awareness of what a government body like the NSA is capable of, and outright boogeyman claims where they get blamed for every little thing that happens; even if there isn't a single connection linking the two instances.

Does it matter if bad crypto is caused by incompetence or malice?

If you're pointing fingers at someone with a baseless claim - yeah, it kind of does. NSA is (deservedly so, I might add) the whipping boy at the moment, but not everything that "goes bump in the night" is their fault. This is not the first, and I'll bet it won't be the last, time an encryption scheme has been found to be flawed - through no intentional fault or backdooring. Simply a flawed scheme that didn't pass muster when put under intense scrutiny.

The real news to get out of this article is that fact that certifications like FIPS apparently don't mean shit.

It is long past time for the scheduling of an open conference devoted to secure cryptography. The conference needs to be broken down into functional groups:

a) secure messaging (keys held at the client level and unknown to the "server", if any)
b) secure transmission (something better than VPN/SSL/TLS and uncompromised by three-letter agencies)
c) secure generation (routines established that meet the standards of randomness necessary for proper key generation)
d) secure dissemination in an open-source manner of all the above
e) the establishment of open-source working groups devoted to accomplishing the above objectives
f) the establishment of a coordinating body to shepherd the above objectives
g) other topics unbeknownst to the author of this comment

Failure to do so will mean fragmentation of the efforts surrounding secure cryptography and the enhancement of three-letter agencies to "pick off" the objectives one-by-one.

This just tells me the verification process is broken and has not properly looked at the random nature of the RNG being used; otherwise we wouldn't be finding the outright broken behavior in certain modules in Windows, Android, and dozens of other examples.

Some can be fixed, others cannot (or can, but it's simply cheaper to trash and replace).

I don't see how this story has anything to do with the NSA though.

Furthermore, this sort of hardware being broken could be bad for the NSA, considering their identification cards to access their computers could have similar problems in theory, along with every single government employee with a smart card used to access a secure infrastructure.

It does, as a matter of fact.

If someone breaks your front door by accident, there's only a chance that they take the occasion to steal something from your home, where a malicious breaking of your front door is a guaranteed smash-and-grab that will lighten your home of a few valuable electronic devices.

Well, the NSA is the bad boy of today, and unless you can prove that they aren't involved in this, then they are... Can't prove a negative, but it does lead to a lot of speculation!

That's a load of BS. The complete lack of evidence is not in and of itself, proof.

I'm a little confused. 184 out of 2 million is .0092 percent, so 9 one-thousandths of a percent, right? This doesn't sound like that big of a deal. I read the article and some of it appeared to be over my head. Can someone explain how .0092 percent is bad?

If it's not 0%, the cryptographic scheme (in this case, the RNG) is flawed. It's as simple as that.

The expected result from the test they did was 0.000000000000000000000%. The fact it isn't means the system is horribly broken, and they only scratched the surface. Spend more compute hours and the % will go up.

I'm sure someone else with a stronger crypto background can do better, but here's the really short, simple explanation:

In a crypto system like this, the odds that even two would be the same are supposed to be so small that it wouldn't happen if you generated keys all day every day for a thousand years.

They have found 184 in a few hours. 184 is 92 times the "expected" error rate, so it's a really, really large flaw.

In the spy world, wouldn't you want to first establish a break in the underlying tech in order to attain better legitimacy? Being that once the flaw becomes known, people (the government) react and issue a new 'secured' card.

Unbeknownst to the issuer the replaced card is now given to the spy, with which the government now relaxes its security measures.

However, there is plenty of secondary evidence that shows that they are very likely involved. Furthermore, as detailed in other Ars articles, as well as many other publications, it has been shown that the NSA has weakened international standards. So, every flaw that comes to light after that is a result of their meddling, regardless of nationality.

Uh huh. Tell me again how a piece of flawed RNG hardware (made by a Japanese company) using a weak scheme like 1024bit RSA (something the NSA and various other cryptographic experts have said is weak) is somehow the fault of the NSA?

Your overreaching paranoia doesn't help the argument against the NSA at all - it weakens it, by labeling the people who speak out against it as paranoid kooks who blame everything on the NSA even when there's a total lack of evidence or connection. Where's this magical "secondary" evidence you speak of? You mean the intentional weakening of that ECC crypto - which already wasn't used because it was known to be weak almost from the outset? There's literally no connection there.

Never attribute to malice what can be sufficiently explained by incompetence.

- NSA undermines one particular implementation of one particular algo
- Conclude there is a massive government conspiracy to undermine all crypto implementations
- Frame all articles regarding cryptographic flaws under this assumption

Next you're going to tell us that AES and ECC were purposely hobbled to appease interests from Big Numbers.

These cards wouldn't be such a problem if governments didn't want to issue their citizens prisoner numbers at birth. Free governments should have no reason to be quantifying and identifying their citizens. There is no need for such a wasteful expenditure except control.

The Census.

A Census doesn't need to be accurate. It just needs to give a general idea. There is no need to demand an actual accounting.

Thanks to culus for this explanation.

My slightly more long-winded explanation:

article wrote:

A little more than 100 keys that shared primes out of a pool of 2 million makes for an infinitesimally small percentage, but in the eye of a trained cryptographer, it flags a fatal error. When generating a 1024-bit RSA key, there are an almost incomprehensible 2^502 prime numbers that can be picked to form its mathematical DNA, Mark Burnett, an IT security analyst and author, estimates. That's many orders of magnitude more than the 2^266 atoms in the known universe. If all these primes are properly mixed up and evenly distributed in a large digital pot—as is supposed to happen when being processed by a correctly functioning RNG—no two primes should ever be picked twice. By definition a prime is a number greater than one that has no positive divisors other than 1 and itself.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

It also appears the test lab was based in Canada. Not sure how the lab missed this though.

If out of 2 million cars 184 cause a deadly accident because the brakes fail, is that a big deal? Would YOU continue to drive one of the other 1.9999 million because they are 'safe'?

One thing to keep in mind. There is primary evidence that the NSA and GCHQ have weakened international encryption standards: the government documents that have been leaked by Snowden.

As for me being paranoid, damned right I am.

None of that is secondary evidence. It's not even circumstantial as it has jack shit to do with the current article, unless you can prove there's a backdoor in RSA (an algorithm that's been around for decades) those recent articles that have to do with "recent NSA motives" have absolutely no bearing on this.

Actually, reading the article again, it is not clear to me that there is a problem in the smart cards themselves. Instead, it appears to be an issue in the personalization process, where individual keys are generated.

If so, then the comments about the failure of certification processes are off the mark.

Could we have some clarification of this point? Where were the keys actually generated?